Category: Fixes and Guides

There is a lot of discussion going on about the relative safety of Internet Explorer vs. Firefox. In this article I say why I think most of the commentary is missing the point.

The battle over the question in the title has been raging in discussions all over the Internet. Unfortunately, this is the wrong question. In fact, it is a meaningless question unless a lot of additional factors are considered. Security is a multidimensional problem and cannot be usefully discussed in the kind of simplistic comparisons that are being made.

I am not a professional security expert but there are some pretty obvious points that can be raised about how you define what is meant by “security”. The most popular way seems to be a kind of numerology where somebody with a vested interest like Symantec purports to count “vulnerabilities” or even “possible” vulnerabilities. The conditions where these vulnerabilities apply are usually not specified. Many questions have to be asked before any meaningful assessment of the severity of a problem can be made, For example, does having a firewall prevent them? Do typical anti-malware packages detect them? Does the user have to click on a link or do something stupid for the problem to apply? Can the problem be fixed by changing a default setting? How long does it take before a patch can be made? Not all “vulnerabilities” are created equal. A so-called vulnerability may be “potentially” very dangerous but not be a problem in practice because it easily fixed by standard measures or can only be incurred because of stupidity. So this numbers game looks very misleading to me.

The whole subject is quite complicated but in an attempt to keep this discussion reasonably short I suggest we replace the single question of the title with three questions (all pertain to Windows systems):

Which browser is safer for experienced computer users?

Which browser is safer for average computer users?

Which browser is safer for careless, uninformed or clueless computer users?

The answer to question 1 is that either browser will do. What browser is used by an experienced person is a matter of personal habits and preferences about different browser features. An experienced user knows what security precautions must be taken and will rarely get a problem just because of the browser that is being used. Personally, I use both Internet Explorer (IE) and Firefox. I prefer Firefox for most things but some sites only work in IE.

Next let’s consider question 2. The term “average” computer user covers a lot of different people so only a few generalities can be stated. The average PC user is not going to be familiar with the details of security measures but most will be aware that they need some kind of defense. If they have a PC bought in recent years they will have quite a bit of automatic protection such as anti-virus programs that update themselves and at least the Windows XP firewall. Also Windows update will be set to run unattended. Many PC users also have installed entire security suites. It is important to note the presence of these security measures because otherwise the question of which browser to use is moot.

For those people who have enough other security in place so that they can turn their attention to browser security, one question concerns updates. Both IE and Firefox have periodically been found to have security holes. IE has an apparent advantage in that it is automatically updated whereas at present Firefox has to be patched manually. Typical PC users can be lax about updating so that looks like a point for IE. However, this possible advantage is much lessened or even disappears because Microsoft can take many weeks to issue a patch for a known problem. Firefox patches come out within a few days after a problem is revealed. Which browser has the advantage here? For those who would keep up with the Firefox updates, I give the nod to Firefox on this particular issue. For procrastinators, maybe IE is better but future versions of Firefox are supposed to also update automatically. Note added later: Firefox version 1.5 is scheduled for release at the end of November, 2005. It contains an automatic update feature and that removes any advantage IE had for procrastinators.

There are also other security factors such as ActiveX, which I have discussed in detail on another page. On the issue of ActiveX, individual PC users will have to balance convenience with safety to decide on a browser. Knowledgeable users can configure IE to avoid ActiveX problems but I wonder how many average PC users will actually do what’s necessary. From a theoretical point of view, I think Firefox is safer because it doesn’t support ActiveX but from a practical view it can sometimes be inconvenient that some pages won’t work for any browser but IE.

What about the average PC user who has an older system with Windows 98/Me? These people are totally ignored by most commentators but there are still quite a few of them around. They will be missing a lot of the security that Microsoft has added to IE in Windows XP SP2. Personally, I think that these systems are safer with Firefox. However, there is the psychological barrier that many people have about installing a whole new browser when they already have one in place. Also, IE has to be used for certain sites and this is another obstacle to using Firefox. For these users, I think that the theoretical answer to question 2 clearly is Firefox. In practice, however, most of these users will probably stick with IE. Hopefully, they will have enough security measures in effect to obviate the newer IE exploits that they are exposed to.

Now we come to question 3. This one is easy to answer. It doesn’t matter what this group uses for a browser. These are the ones that do not use firewalls or do not install security updates or blithely click on any old link. They have much bigger problems than what browser to use. Unfortunately, their problems are our problems, too. This group is where most of the worms and Trojans hide out. It is also where the crackers get their “zombie” machines to carry out Distributed Denial of Service attacks and conduct various criminal activities.

I have framed the discussion in terms of who the intended user is. To really discuss the issue of browser security would require a much more complicated metric. However, I think the discussion helps illustrate my contention that measuring security is not simple and that there is no easy answer that applies to everybody for the question of which browser is safer to use. If you held a gun to my head and demanded that I choose a browser for everybody, I would personally pick Firefox. But you still have to use IE for some sites like Windows Update whether you like it or not. And I haven’t even mentioned Opera or Netscape.

I am very interested to hear what you have to say about all this. Log on to http://tips.vlaurie.com and let me know what you think.

Disabling ActiveX

Table I shows some settings that involve ActiveX in the Internet security zone for IE 7. Changing this small group of settings will still protect against many common security problems but is less of an obstacle for the average home PC user. Some ActiveX settings are already disabled by default in the Internet zone and those listed are additional settings that should also be disabled. The settings can be changed manually by going to the Internet Explorer menu Tools-Internet Options-Security-Internet-Custom level (Figure 1). Note that some Web sites use ActiveX and there may be loss of functionality. In particular Microsoft sites such as Windows Update will no longer work. To retain ActiveX capability, commonly visited sites that are secure can be placed in the Trusted Zone. Or, if desired, settings can be returned to their default values by clicking the Reset button shown in Figure 1 or by using the Default Level button.

Table I. Settings for Disabling ActiveX in IE 7

Category

Setting

Default

Recommended

ActiveX controls and plug-ins

Binary and script behaviors

Enable

Disable

Download signed ActiveX controls

Prompt

Disable

Run ActiveX controls and plug-ins

Enable

Disable

Script ActiveX controls marked safe for scripting

Enable

Disable

Figure 1. Dialog box for settings in Internet Security Zone

Quick way to change IE security zone settings.

Rather than changing the settings manually, an INF file that makes the changes in the Registry can be used. (Using INF files to make Registry changes is discussed on this page.) This has the advantage of providing a simpler method that is not subject to possible errors in entering setting changes by hand. The INF file that carries out the changes shown in Table I can be seen here. The text file shown can be copied and changed to an INF file by editing the extension. To make things even easier, I have also wrapped the INF file in an EXE package that can be downloaded here. To use it, simply left-click in the usual manner. If you do not like the results, the changes can be undone with another executable file that can be downloaded here. Note that any additional setting changes that you might have made will not restored by this file. As is true for any executable file, your security settings may give the standard warning.

Because of our litigious society, I must make the disclaimer that all files are provided as is, without guarantees, and that the user assumes all responsibility.

Responding to zero-day exploits

Many so-called zero-day exploits have been making use of ActiveX. In these cases,Microsoft often advises the work-around of disabling Activex until it issues a patch. The downloads provided above provide an easy way for PC users to apply the temporary defense.

Although changes have been made to Internet Explorer 7 (IE 7) to make it safer than IE 6, security issues remain and many of the same considerations discussed for IE 6 are also pertinent to IE 7. In fact, possible exploits using active scripting surfaced immediately after the release of IE 7 to the general public. The general discussion of security zones in IE that was given previously applies here and should be read for background. The recommended settings for the Internet security zone given below should be used together with a system of adding frequently visited sites that are known to be safe to the Trusted Zone.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow certain aspects. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser or to fool you. I have left it enabled but you may wish to disable it. Another setting that some may wish to disable is “File download” although I have left it enabled.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Background of ActiveX Controls

Before tackling ActiveX, I need to say just a little about the general way programs are designed these days. A lot of use is made of what the programmers call objects. These are individual modules designed to carry out specific tasks or functions. They can then be plugged into any program that has an interface set up to communicate with them. In this way, a set of objects can be used as building blocks to modify and augment a variety of programs. Thus, a single separate entity can provide functionality for many different programs. In this way, programs do not have to keep reinventing the wheel but can call on an object for implementing some particular procedures. Microsoft has been a leader in this way of doing things.

What ActiveX controls do

“ActiveX” is a name probably dreamed up by the marketing people at Microsoft. It has as much intrinsic meaning as “cougar” does for a make of automobile. It refers to a somewhat loosely defined group of methods developed by Microsoft for sharing information and functionality among programs. One of these technologies is called “ActiveX controls.” These are objects that are like small programs or “applets” and a number of Microsoft programs like Office and Internet Explorer (IE) are designed to be able to interact with them. An example is a spell checker. Since Word comes with a spell checker, other Microsoft programs such as Outlook Express can make use of it. In fact, any program with the appropriate interface can use this spell checker.

This built-in interactivity between various components and programs leads to greatly increased versatility and flexibility. Furthermore, programmers can easily create new ActiveX controls with Visual Basic , C++, and other programming languages. One place where ActiveX controls are very common is in Internet Explorer. An ActiveX control can be automatically downloaded and executed by Internet Explorer. Once downloaded, an ActiveX control in effect becomes part of the operating system. For example, IE cannot read PDF files by itself but can do so with an ActiveX control from Adobe. Similarly, IE needs a control to display Flash.

Security problems

The interactivity and ease of programming of ActiveX controls has a price and these controls are a major source of security problems. Sad to say, unscrupulous types have taken advantage of the ActiveX control technology to place malware on unwary computer users. A lot of spyware and adware is downloaded as ActiveX controls. Microsoft tightened up the security in Windows XP Service Pack 2 and then some more in Internet Explorer 7 but security issues remain. Careful attention to what you download and configuring the ActiveX settings in Internet Explore for greater safety will go a long way towards obviating problems. Support for ActiveX by Internet Explorer can be completely disabled but that breaks useful functions as well as blocking malware. For more details on the security settings for ActiveX in Internet Explorer see this table listing the different zone settings as well as a tutorial on configuring IE. ActiveX is a useful technology and the trick is to find the right balance between convenience and security that is appropriate to your usage patterns and technical skills.

As discussed on the previous page , increasing the security for the Internet security zone of Internet Explorer may break some reputable sites that you use regularly . The solution is to add these sites to the Trusted zone, which will restore their functionality. The procedures described here will work for either IE 6 oe IE 7. Open Internet Explorer and go to Tools-Internet Options-Security.

Click the “Security” tab and choose the “Trusted Sites” icon.

Then click on the button “Sites”. A window will open, where you can add any sites that you wish to be in the Trusted zone. Be sure to remove the check by the entry “Require server verification (https:)….”

Enter the site of interest in the line provided. Site URLs can be typed in directly or entered by copying and pasting. A shortcut method of copying and pasting an URL from the IE address bar is to use the keyboardcommand ALT+D to select the Web address and then use CTRL+C to copy it to the Windows Clipboard. Then right-click in the space under “Add this Web site to the zone” and choose “Paste” from the context menu. The example below shows the NY Times site being added. Note that it is not an https site and that the appropriate box is unchecked. After entering a site click the “Add” button.

The site is now added to the list of trusted sites.

Enter the next site and repeat the procedure.

There is a “Remove” button (grayed out in the figure above), should you wish to take a site off the list.

Using wild cards

One disadvantage of using a complete URL like http://www.nytimes.com is that it can be too specific. For example, there are related addresses such as http://topics.nytimes.com and these will be treated as a separate URL. To place anything contained within the entire domain “nytimes.com” into the trusted zone, the asterisk wildcard can be used. An entry such as “*.nytimes.com” will put everything in the main domain into the trusted zone.

A shorter way

The above procedure can be tedious if you want to add a number of sites to the trusted zone. Fortunately, there is a quicker way. There is an old (unsupported) Internet 5 accessory from Microsoft called Power Tweaks that still works in both IE 6 and IE 7. It puts an entry into the Tools menu that allows any site that you are visiting to be added to the Trusted (or the Restricted) zone. It can be downloaded here.

Ransomware Guides

We are now dedicated in finding the latest ransomware threats. In 2016 alone worldwide they has been a growth of over 400% in ransomware infections. The latest threat that have encounter is Osiris file Ransomware.

Recommendations for Internet Zone

The Internet zone is where sites not specifically placed elsewhere are placed. Thus, the settings for this zone control most of the sites that you will go to on the Internet. Please be aware that increased security has a cost and that the settings given here will cause some sites to stop working properly. In particular, ActiveX and scripting have been disabled. Sites using these technologies will be crippled. This keeps the bad guys out but may interfere with one of your favorite sites. If a site is safe and is one that you use frequently , place it in the Trusted site zone, where ActiveX and scripting are enabled. Instructions on how to do that are on this page.

There are quite a few settings and the particular recommendations given in the table below are but one of many possible combinations. The recommended settings can be modified to suit a PC user’s particular pattern of surfing. Thus, you may wish to experiment to find a combination best for your own purposes. For example, many pages use scripts and you may wish to allow that. Also, it is a common practice for pages to use META REFRESH for redirection. It is also used by bad sites to trap your browser. I have left it enabled but you may wish to disable it.

The recommended settings below may not suit everybody and may even be irritating to some. Therefore, do not undertake to change anything on your computer unless you know how to get back to where you started.

Description of the “My Computer” or local Internet security zone

The “My Computer” zone is the local computer zone, which governs the security settings for opening HTML pages stored on your own system. These locally stored pages are deemed to be safe, which is normally a reasonable assumption. Also local pages may need access to the resources such as files that are located on your system and are therefore given a high degree of trust.

Unfortunately, there are a large number of cross-zone vulnerabilities, which writers of malware such as viruses, worms, etc. may use to their advantage. To help plug these security holes, one of the security changes made in the Windows XP Service Pack 2 update locks down the “My Computer” zone to control the running of scripts and ActiveX components. This increased security comes at a cost, however, since certain applications are thereby broken.

Configuring the “My Computer” Internet security zone

Users of older Windows operating systems will not receive the security updates for Internet Explorer that the Windows XP SP2 contains. In these cases it may be desirable to be able to configure the settings for the “My Computer” zone. (The following procedures do not apply to IE 6 in Windows XP SP2 or to IE 7.)

Configuring Internet Explorer zones is done through the “Tools- Internet Options ” menu. (A tutorial is available on another page.) The zone for “My Computer” is normally hidden but it can be made visible by editing the Registry so that this zone appears on the Security tab in the Internet Options dialog box, as shown below.

The Registry settings that have to be changed to make this zone visible are given in an article in the Microsoft Knowledge Base . The key that has to be edited for a particular user account is

Within the key is a DWORD value “Flags”. Setting the data value of the Flags value to 47 (in hexadecimal) causes the “My Computer”security zone to be displayed. Setting the data value of the Flags value to 21 (in hexadecimal) causes the “My Computer” security zone to be hidden.

Editing the Registry can be a parlous project so be sure to back up the Registry first. For those who understand how to use REG files, copy the text below, paste into Notepad, and save as “showmycomputer.reg” or name of your choice. Only those who can return their computer to a previous state should try this.